Hi All,
I have created the myuser user and I created a custom module for the user. I have followed the steps below.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
On Wed, 2009-02-25 at 15:38 +0530, prakash hallalli wrote:
Hi All,
I have created the myuser user and I created a custom module for the user. I have followed the steps below.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
cp /etc/selinux/targeted/contexts/users/user_u /etc/selinux/targeted/contexts/users/myuser
sudo semanage user -a -L s0 -r s0-s0 -R "myuser_r" -P user myuser
sudo useradd -Z myuser prakash
hth, Dominick
fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Wed, 2009-02-25 at 15:38 +0530, prakash hallalli wrote:
Hi All,
I have created the myuser user and I created a custom module for the user. I have followed the steps below.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
My previous example is incomplete. In this example I will show you exactly how it's done:
1. Create a source policy module:
mkdir ~/myuser; cd ~/myuser; echo "policy_module(myuser, 0.0.1)" > myuser.te; echo "role myuser_r;" >> myuser.te; echo "userdom_unpriv_user_template(myuser)" >> myuser.te;
2. Build the source policy module:
make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
sudo semodule -i myuser.pp
4. Create default contexts for myuser:
echo "system_r:local_login_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:remote_login_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:sshd_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:crond_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:xdm_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_su_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_sudo_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:initrc_su_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
5. Create a SELinux user mapping for myuser:
sudo semanage user -a -L s0 -r s0-s0 -R "myuser_r" -P user myuser
6. Add new myuser user for prakash:
sudo useradd -Z myuser prakash
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
Thanks, Prakash.
On Wed, 2009-02-25 at 16:01 +0530, prakash hallalli wrote:
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
1. Create a source policy module:
mkdir ~/myuser; cd ~/myuser; echo "policy_module(myuser, 0.0.1)" > myuser.te; echo "role myuser_r;" >> myuser.te; echo "userdom_unpriv_user_template(myuser)" >> myuser.te;
2. Build the source policy module:
make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
sudo semodule -i myuser.pp
4. Create default contexts for myuser:
echo "system_r:local_login_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:remote_login_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:sshd_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:crond_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:xdm_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_su_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_sudo_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "system_r:initrc_su_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
echo "myuser_r:myuser_t:s0 myuser_r:myuser_t:s0" >> /etc/selinux/targeted/contexts/users/myuser
5. Create a SELinux user mapping for myuser:
sudo semanage user -a -L s0 -r s0-s0 -R "myuser_r" -P user myuser
6. Add new myuser user for prakash:
sudo useradd -Z myuser prakash
Thanks, Prakash.
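Dominick's six steps above, generalised to any policy prefix as an added example (Python, not code from the list or its participants): it emits the .te text, the step 4 contexts file and the remaining commands for a given prefix, and cross-checks the three against each other. The checking rules are this example's own; among other things they flag the mismatch in the earlier post, where the .te declared role myuser_r but the semanage mapping was created with -R "myuser1_r". The contexts-file format assumed is the one shown in step 4: one "source target" pair per line, each a role:type:level triple.

```python
import re

# Step 4 source contexts, in the order Dominick listed them; "{p}" is the prefix.
LOGIN_SOURCES = [
    "system_r:local_login_t:s0",
    "system_r:remote_login_t:s0",
    "system_r:sshd_t:s0",
    "system_r:crond_t:s0",
    "system_r:xdm_t:s0",
    "{p}_r:{p}_su_t:s0",
    "{p}_r:{p}_sudo_t:s0",
    "system_r:initrc_su_t:s0",
    "{p}_r:{p}_t:s0",
]

def policy_te(prefix):
    """Step 1: contents of <prefix>.te."""
    return (f"policy_module({prefix}, 0.0.1)\n"
            f"role {prefix}_r;\n"
            f"userdom_unpriv_user_template({prefix})\n")

def default_contexts(prefix):
    """Step 4: contents of /etc/selinux/targeted/contexts/users/<prefix>."""
    target = f"{prefix}_r:{prefix}_t:s0"
    return "".join(f"{src.format(p=prefix)} {target}\n" for src in LOGIN_SOURCES)

def admin_commands(prefix, login):
    """Steps 2, 3, 5 and 6 as the commands to run (as root)."""
    return [
        "make -f /usr/share/selinux/devel/Makefile",
        f"semodule -i {prefix}.pp",
        f'semanage user -a -L s0 -r s0-s0 -R "{prefix}_r" -P user {prefix}',
        f"useradd -Z {prefix} {login}",
    ]

ROLE_DECL = re.compile(r"^\s*role\s+(\w+)\s*;", re.M)
CONTEXT = re.compile(r"^\w+_r:\w+_t:\S+$")   # role:type:level, as in the contexts file

def check_setup(te_text, contexts_text, semanage_roles):
    """Return a list of inconsistencies between the three artefacts (empty means consistent).

    These rules are the example's own, not something the policy tools enforce for you."""
    problems = []
    declared = set(ROLE_DECL.findall(te_text))
    if not declared:
        problems.append("no 'role ...;' declaration in the .te")
    for role in declared:
        # The template must be called with the same prefix the role was declared for.
        template_call = f"userdom_unpriv_user_template({role[:-2]})"
        if template_call not in te_text:
            problems.append(f".te does not call {template_call}")
    # The roles given to semanage -R must exist in the loaded policy.
    for role in semanage_roles:
        if role not in declared:
            problems.append(f"semanage role {role} is not declared in the .te")
    # Every target context in the contexts file must use a role the mapping allows.
    for n, line in enumerate(contexts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 2 or not all(CONTEXT.match(p) for p in parts):
            problems.append(f"contexts line {n}: expected '<source> <target>' role:type:level pairs")
            continue
        target_role = parts[1].split(":")[0]
        if target_role not in semanage_roles:
            problems.append(f"contexts line {n}: target role {target_role} is not allowed by the semanage mapping")
    return problems

if __name__ == "__main__":
    prefix = "myuser"
    print(policy_te(prefix))
    print(default_contexts(prefix))
    print("\n".join(admin_commands(prefix, "prakash")))
    # Dominick's version: consistent.
    print(check_setup(policy_te(prefix), default_contexts(prefix), {"myuser_r"}))
    # The earlier post mapped role myuser1_r although the policy declared myuser_r.
    print(check_setup(policy_te(prefix), default_contexts(prefix), {"myuser1_r"}))
```

The generated text is meant to be reviewed and then written out as root; the script deliberately does not touch /etc or run semodule itself, so it can be used to dry-run a new user prefix on any machine.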
prakash hallalli wrote:
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
Thanks, Prakash.
Which OS and version?
Depending on the policy you might need to relabel the home directory to get the labels correct.
restorecon -R -v /home
Hi All,
I am using CentOS-5 x86_64. I have followed the steps you sent, but I am still getting the same user login problem. I am not able to log the user in properly.
These are the steps I have followed.
1. Create a source policy module:
#cd /home/prakash
#vi prakash.te
policy_module(prakash, 0.0.1)
role prakash_r;
userdom_unpriv_user_template(prakash);
2. Build the source policy module:
#make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
#semodule -i prakash.pp
4. Create default contexts for prakash:
#cd /etc/selinux/targeted/contexts/users
#vi prakash
system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
system_r:remote_login_t:s0 prakash_r:prakash_t:s0
system_r:sshd_t:s0 prakash_r:prakash_t:s0
system_r:crond_t:s0 prakash_r:prakash_t:s0
system_r:xdm_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
5. Create a SELinux user mapping for prakash:
#semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
6. Add new prakash user for user1:
#useradd -Z prakash user1
7. When I try to log in to the system, I get a permission denied message.
gtt login: user1
password: XXXXXX
-bash: /home/user1/.bash_profile: Permission denied
-bash-3.1$ id
uid=524(user1) gid=525(user1) groups=525(user1) context=prakash:prakash_r:prakash_t
I tried one more user and also got the same problem. I am not sure what mistakes I made. Please help me with what I have to do.
Thanks, Prakash, k, h.
On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
Thanks, Prakash.
Which OS and version?
Depending on the policy you might need to relabel the home directory to get the labels correct.
restorecon -R -v /home
prakash hallalli wrote:
Hi All,
I am using CentOS-5 x86_64. I have followed the steps you sent, but I am still getting the same user login problem. I am not able to log the user in properly.
These are the steps I have followed.
1. Create a source policy module:
#cd /home/prakash
#vi prakash.te
policy_module(prakash, 0.0.1)
role prakash_r;
userdom_unpriv_user_template(prakash);
2. Build the source policy module:
#make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
#semodule -i prakash.pp
4. Create default contexts for prakash:
#cd /etc/selinux/targeted/contexts/users
#vi prakash
system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
system_r:remote_login_t:s0 prakash_r:prakash_t:s0
system_r:sshd_t:s0 prakash_r:prakash_t:s0
system_r:crond_t:s0 prakash_r:prakash_t:s0
system_r:xdm_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
5. Create a SELinux user mapping for prakash:
#semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
6. Add new prakash user for user1:
#useradd -Z prakash user1
7. When I try to log in to the system, I get a permission denied message.
gtt login: user1
password: XXXXXX
-bash: /home/user1/.bash_profile: Permission denied
-bash-3.1$ id
uid=524(user1) gid=525(user1) groups=525(user1) context=prakash:prakash_r:prakash_t
I tried one more user and also got the same problem. I am not sure what mistakes I made. Please help me with what I have to do.
Thanks, Prakash, k, h.
On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
Thanks, Prakash.
Which OS and version?
Depending on the policy you might need to relabel the home directory to get the labels correct.
restorecon -R -v /home
Please attach the AVC messages from /var/log/audit/audit.log.
Hi All,
Thanks for replying to me. These are the audit messages I am getting from /var/log/audit/audit.log.
type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old auid=4294967295 new auid=527
type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Thanks,
Prakash
On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I am using CentOS-5 x86_64. I have followed the steps you sent, but I am still getting the same user login problem. I am not able to log the user in properly.
These are the steps I have followed.
1. Create a source policy module:
#cd /home/prakash
#vi prakash.te
policy_module(prakash, 0.0.1)
role prakash_r;
userdom_unpriv_user_template(prakash);
2. Build the source policy module:
#make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
#semodule -i prakash.pp
4. Create default contexts for prakash:
#cd /etc/selinux/targeted/contexts/users
#vi prakash
system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
system_r:remote_login_t:s0 prakash_r:prakash_t:s0
system_r:sshd_t:s0 prakash_r:prakash_t:s0
system_r:crond_t:s0 prakash_r:prakash_t:s0
system_r:xdm_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
5. Create a SELinux user mapping for prakash:
#semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
6. Add new prakash user for user1:
#useradd -Z prakash user1
7. When I try to log in to the system, I get a permission denied message.
gtt login: user1
password: XXXXXX
-bash: /home/user1/.bash_profile: Permission denied
-bash-3.1$ id
uid=524(user1) gid=525(user1) groups=525(user1) context=prakash:prakash_r:prakash_t
I tried one more user and also got the same problem. I am not sure what mistakes I made. Please help me with what I have to do.
Thanks, Prakash, k, h.
On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh dwalsh@redhat.com
wrote:
prakash hallalli wrote:
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
Thanks, Prakash.
Which OS and version?
Depending on the policy you might need to relabel the home directory to get the labels correct.
restorecon -R -v /home
Please attach the AVC messages from /var/log/audit/audit.log.
On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
Hi All,
Thanks for replying to me. These are the audit messages I am getting from /var/log/audit/audit.log.
type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old auid=4294967295 new auid=527
type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Thanks,
Prakash
The issue is that RHEL5 targeted policy is not designed to target user domains.
The avc denials that you provided do not give me a clue about what is stopping this from working.
It may well be that the denials responsible are hidden.
You can expose hidden denials using:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
To restore the defaults you would execute:
# semodule -b /usr/share/selinux/targeted/base.pp
After you have exposed the hidden avc denials you may be presented with more clues in audit.log as to what is stopping functionality.
But again, the big issue here is that RHEL5 targeted policy is not designed to target users.
This functionality does work in Fedora 9 and up.
hth, Dominick
On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
> Hi All,
>
> I am using CentOS-5 x86_64. I have followed the steps you sent, but I am
> still getting the same user login problem. I am not able to log the user
> in properly.
>
> These are the steps I have followed.
>
> 1. Create a source policy module:
>
> #cd /home/prakash
> #vi prakash.te
> policy_module(prakash, 0.0.1)
> role prakash_r;
> userdom_unpriv_user_template(prakash);
>
> 2. Build the source policy module:
>
> #make -f /usr/share/selinux/devel/Makefile
>
> 3. Install the binary policy module:
>
> #semodule -i prakash.pp
>
> 4. Create default contexts for prakash:
>
> #cd /etc/selinux/targeted/contexts/users
> #vi prakash
> system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
> system_r:remote_login_t:s0 prakash_r:prakash_t:s0
> system_r:sshd_t:s0 prakash_r:prakash_t:s0
> system_r:crond_t:s0 prakash_r:prakash_t:s0
> system_r:xdm_t:s0 prakash_r:prakash_t:s0
> prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
> prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
> system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
> prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
>
> 5. Create a SELinux user mapping for prakash:
>
> #semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
>
> 6. Add new prakash user for user1:
>
> #useradd -Z prakash user1
>
> 7. When I try to log in to the system, I get a permission denied
> message.
>
> gtt login: user1
> password: XXXXXX
>
> -bash: /home/user1/.bash_profile: Permission denied
> -bash-3.1$ id
> uid=524(user1) gid=525(user1) groups=525(user1)
> context=prakash:prakash_r:prakash_t
>
> I tried one more user and also got the same problem. I am not sure
> what mistakes I made. Please help me with what I have to do.
>
> Thanks,
> Prakash, k, h.
>
> On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> prakash hallalli wrote:
>>>> Hi All,
>>>>
>>>> I have created the 'myuser' user and created a custom policy module for
>>>> the user. I have installed the module successfully, but when I log
>>>> myuser in I get a bash prompt.
>>>>
>>>> I have followed the steps below for creating the module.
>>>>
>>>> #vi myuser.te
>>>> policy_module(myuser, 0.0.1)
>>>> role myuser_r;
>>>> userdom_unpriv_user_template(myuser)
>>>>
>>>> #make -f /usr/share/selinux/devel/Makefile
>>>> #sudo semodule -i myuser.pp
>>>> #semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
>>>> #useradd -Z myuser1 myuser1
>>>>
>>>> I did all the steps; when I try to log in to the system the following
>>>> error is displayed.
>>>> gtt login: myuser
>>>> password: XXXXXX
>>>>
>>>> -bash: /home/myuser/.bash_profile: Permission denied
>>>> -bash-3.1$
>>>>
>>>> Please tell me what I have to do.
>>>>
>>>> Thanks,
>>>> Prakash.
> Which OS and version?
>
> Depending on the policy you might need to relabel the home directory to get the
> labels correct.
>
> restorecon -R -v /home
>
Please attach the AVC messages from /var/log/audit/audit.log.
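Dan asked for the AVC messages, and Dominick's reply makes the point that the denials Prakash posted (getty_t acting on local_login_t, permissions rlimitinh, noatsecure and siginh) say nothing about the prakash_t domain or the home directory, and that the relevant denial may be hidden by a dontaudit rule, which is what enableaudit.pp strips. As an added example that is not part of the thread, here is a small Python parser that splits audit.log text into records even when several were run onto one line (as the archive did), groups AVC denials by source type, target type and object class, and filters for a domain of interest. The sample input is a constructed, trimmed copy of the records Prakash posted; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample input: the thread's records, trimmed to the fields used here and
# run together the way the archive rendered them (several records per line).
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" '
    'scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process '
    'type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" '
    'scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process '
    'type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 pid=4296 comm="login" exe="/bin/login"\n'
    'type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 '
    "msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe=\"/bin/login\" (res=success)'\n"
    'type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" '
    'scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process '
    'type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" '
    'scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process\n'
)

# "avc: denied { perm1 perm2 } for key=value ..." (one or two spaces after "avc:" both occur).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s*$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """One audit record per list element, even when several records share a line."""
    return [r.strip() for r in re.split(r'(?=type=[A-Z_]+ msg=audit\()', text) if r.strip()]

def parse_avc(record):
    """Return a dict for an AVC denial record, or None for any other record type."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
    }

def context_type(ctx):
    """Third field of an SELinux context string user:role:type[:range]."""
    return ctx.split(':')[2] if ctx and ctx.count(':') >= 2 else None

def summarize_denials(text):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(set)
    for rec in split_records(text):
        d = parse_avc(rec)
        if d:
            groups[(context_type(d['scontext']), context_type(d['tcontext']), d['tclass'])] |= d['perms']
    return dict(groups)

def denials_touching(text, domain_type):
    """Denials whose source or target type is the given domain, e.g. 'prakash_t'."""
    return [d for d in map(parse_avc, split_records(text))
            if d and domain_type in (context_type(d['scontext']), context_type(d['tcontext']))]

if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print(f'{src} -> {tgt} ({cls}): {" ".join(sorted(perms))}')
    # Empty here: none of the posted denials involve the user domain, as Dominick noted.
    print('denials involving prakash_t:', len(denials_touching(SAMPLE_AUDIT, 'prakash_t')))
```

Run against a real audit.log, an empty result from denials_touching() for the new user domain is the cue to rebuild with enableaudit.pp and look again, then restore base.pp as Dominick describes.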
Dominick Grift wrote:
On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
Hi All,
Thanks for replying to me. These are the audit messages I am getting from /var/log/audit/audit.log.
type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old auid=4294967295 new auid=527
type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Thanks,
Prakash
The issue is that RHEL5 targeted policy is not designed to target user domains.
The avc denials that you provided do not give me a clue about what is stopping this from working.
It may well be that the denials responsible are hidden.
You can expose hidden denials using:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
To restore the defaults you would execute:
# semodule -b /usr/share/selinux/targeted/base.pp
After you have exposed the hidden avc denials you may be presented with more clues in audit.log as to what is stopping functionality.
But again, the big issue here is that RHEL5 targeted policy is not designed to target users.
This functionality does work in Fedora 9 and up.
hth, Dominick
On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I am using CentOS-5 x86_64. I have followed the steps you sent, but I am still getting the same user login problem. I am not able to log the user in properly.
These are the steps I have followed.
1. Create a source policy module:
#cd /home/prakash
#vi prakash.te
policy_module(prakash, 0.0.1)
role prakash_r;
userdom_unpriv_user_template(prakash);
2. Build the source policy module:
#make -f /usr/share/selinux/devel/Makefile
3. Install the binary policy module:
#semodule -i prakash.pp
4. Create default contexts for prakash:
#cd /etc/selinux/targeted/contexts/users
#vi prakash
system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
system_r:remote_login_t:s0 prakash_r:prakash_t:s0
system_r:sshd_t:s0 prakash_r:prakash_t:s0
system_r:crond_t:s0 prakash_r:prakash_t:s0
system_r:xdm_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
5. Create a SELinux user mapping for prakash:
#semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
6. Add new prakash user for user1:
#useradd -Z prakash user1
7. When I try to log in to the system, I get a permission denied message.
gtt login: user1
password: XXXXXX
-bash: /home/user1/.bash_profile: Permission denied
-bash-3.1$ id
uid=524(user1) gid=525(user1) groups=525(user1) context=prakash:prakash_r:prakash_t
I tried one more user and also got the same problem. I am not sure what mistakes I made. Please help me with what I have to do.
Thanks, Prakash, k, h.
On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh
dwalsh@redhat.com wrote:
prakash hallalli wrote:
Hi All,
I have created the 'myuser' user and created a custom policy module for the user. I have installed the module successfully, but when I log myuser in I get a bash prompt.
I have followed the steps below for creating the module.
#vi myuser.te
policy_module(myuser, 0.0.1)
role myuser_r;
userdom_unpriv_user_template(myuser)
#make -f /usr/share/selinux/devel/Makefile
#sudo semodule -i myuser.pp
#semanage user -a -L s0 -r s0-s0 -R "myuser1_r" -P user myuser1
#useradd -Z myuser1 myuser1
I did all the steps; when I try to log in to the system the following error is displayed.
gtt login: myuser
password: XXXXXX
-bash: /home/myuser/.bash_profile: Permission denied
-bash-3.1$
Please tell me what I have to do.
Thanks, Prakash.
Which OS and version?
Depending on the policy you might need to relabel the home directory to get the labels correct.
restorecon -R -v /home
Please attach the AVC messages from /var/log/audit/audit.log.
Yes, if you want to write targeted user protection in RHEL5 you need to use the strict or MLS policy, not targeted.